From fcc8994e705e4bebf82e6cf194783ac9a2442e60 Mon Sep 17 00:00:00 2001
From: aldousalvarez
Date: Tue, 22 Aug 2023 13:40:31 +0800
Subject: [PATCH] carbon accounting trivy scan
---
 .../workflows/trivy-container-scan.yaml | 53 +++++++++++++++++++
 examples/carbon-accounting/Dockerfile | 2 +-
 .../corda-all-in-one/corda-v4_8/Dockerfile | 16 ++++--
 3 files changed, 65 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/.github/workflows/trivy-container-scan.yaml
diff --git a/.github/workflows/.github/workflows/trivy-container-scan.yaml b/.github/workflows/.github/workflows/trivy-container-scan.yaml
new file mode 100644
index 00000000000..dc3052d709b
--- /dev/null
+++ b/.github/workflows/.github/workflows/trivy-container-scan.yaml
@@ -0,0 +1,53 @@
+name: trivy-container-image-scan
+
+on:
+ push:
+ pull_request:
+ # Publish `main` as Docker `latest` image.
+ branches:
+ - main
+
+ # Publish `v1.2.3` tags as releases.
+ tags:
+ - v*
+
+
+jobs:
+
+ build:
+ name: Scan cactus-example-carbon-accounting table image
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: |
+ DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.11.2
+ with:
+ image-ref: 'cactus-example-carbon-accounting'
+ format: 'table'
+ exit-code: '0'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ build2:
+ name: Scan cactus-example-carbon-accounting json image
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: |
+ DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.11.2
+ with:
+ image-ref: 'cactus-example-carbon-accounting'
+ format: 'json'
+ exit-code: '0'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
\ No newline at end of file
diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile
index cf74f0ead36..23d4363510d 100644
--- a/examples/carbon-accounting/Dockerfile
+++ b/examples/carbon-accounting/Dockerfile
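Review bot: The new workflow is created at `.github/workflows/.github/workflows/trivy-container-scan.yaml` (see the diffstat and the file header), and GitHub Actions only loads workflow files that sit directly under `.github/workflows/`, so as committed this scan will never be triggered; it should be moved to `.github/workflows/trivy-container-scan.yaml`. Both jobs set `exit-code: '0'` together with `ignore-unfixed: true`, which makes the CRITICAL/HIGH findings purely informational and never blocks a pull request; if the scan is meant to gate merges, at least the `table` job should use `exit-code: '1'`. `build2` rebuilds the identical image only to re-scan it as JSON that is neither written anywhere with the action's `output:` input nor uploaded as an artifact, so one job with a single build and two scan steps (plus `actions/upload-artifact` for the JSON) would halve the build time and actually retain the report. The two `# Publish …` trigger comments read as copied from a publish workflow and no longer describe what these triggers do in a scan-only job; drop them or reword to `# Scan on pushes to main and on version tags.`.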
@@ -37,7 +37,7 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | b
 RUN source ~/.bashrc && \
 nvm install 16.15.1 && \
 npm install -g yarn && \
- yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
+ yarn add @hyperledger/cactus-example-carbon-accounting-backend@1.1.3 --ignore-engines --production
 SHELL ["/bin/bash", "--login", "-c"]
diff --git a/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile b/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile
index 513908bee25..3ba2065aa06 100644
--- a/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile
+++ b/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile
@@ -1,8 +1,8 @@
-FROM docker:24.0.2-dind
+FROM docker:24.0.5-dind
 # cordaVersion=4.8.5
 # cordaCoreVersion=4.8.5
-ARG SAMPLES_KOTLIN_SHA=1504878ce446555bd861bbe4dd3d1154e905a07f
+ARG SAMPLES_KOTLIN_SHA=8ce33f57ad1dd77f721af4d1f59d72f3d331fd0c
 ARG SAMPLES_KOTLIN_CORDAPP_SUB_DIR_PATH="./Advanced/obligation-cordapp/"
 ARG CORDA_TOOLS_SHELL_CLI_VERSION=4.8
@@ -11,7 +11,7 @@ WORKDIR /
 RUN apk update
 # Install dependencies of Docker Compose
-RUN apk add py-pip python3-dev libffi-dev openssl-dev gcc libc-dev make
+RUN apk add docker-cli docker-cli-compose
 # Install git so we can check out the kotlin-samples repo of Corda
 RUN apk add --no-cache git
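Review bot: In the corda-v4_8 Dockerfile hunk at `@@ -11,7 +11,7 @@`, the new `RUN apk add docker-cli docker-cli-compose` is the only `apk add` in this file without `--no-cache`, so it is inconsistent with the sibling `git`, `curl` and `file` lines and keeps the fetched package index in the layer; use `RUN apk add --no-cache docker-cli docker-cli-compose`. The comment above it, `# Install dependencies of Docker Compose`, now describes the removed pip/gcc toolchain rather than what is installed; suggest `# Install the Docker CLI and the compose plugin (replaces the pip-based docker-compose build deps)`. Both packages are unpinned, so rebuilds from the same Dockerfile can pull different versions even though the `FROM` tag is pinned; pinning as `docker-cli-compose=<VERSION>` (placeholder, check the Alpine repository of the base image) would keep the image reproducible and make the Trivy results from this commit comparable run to run. The yarn bump in the carbon-accounting hunk and the `FROM`/`SAMPLES_KOTLIN_SHA` bumps in the first corda hunk are plain version updates and raise nothing further.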
@@ -25,16 +25,22 @@ RUN apk add --no-cache curl
 # The file binary is used to inspect exectubles when debugging container image issues
 RUN apk add --no-cache file
-RUN apk add --no-cache openjdk8
+RUN apk add --no-cache openjdk11
 # Need gradle to execute the corda sample app setup commands
 RUN apk add --no-cache gradle
+RUN gradle --version
+
 ENV CACTUS_CFG_PATH=/etc/hyperledger/cactus
 RUN mkdir -p $CACTUS_CFG_PATH
+# Need to install augtool for manipulating the SSH configuration files below
+RUN apk add --no-cache augeas
+
+RUN apk upgrade
 # OpenSSH - need to have it so we can shell in and install/instantiate contracts and troubleshoot
-RUN apk add --no-cache openssh augeas
+RUN apk update && apk --no-cache upgrade openssh-client
 # Configure the OpenSSH server we just installed
 RUN augtool 'set /files/etc/ssh/sshd_config/AuthorizedKeysFile ".ssh/authorized_keys /etc/authorized_keys/%u"'
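Review bot: The replacement `RUN apk update && apk --no-cache upgrade openssh-client` no longer installs the `openssh` package that the removed line provided, while the comment `# OpenSSH - need to have it so we can shell in…` and the `RUN augtool 'set /files/etc/ssh/sshd_config/…'` line right after it still assume an sshd is present; unless `docker:24.0.5-dind` already ships the server (it appears to carry only the client), sshd will be missing and the augtool edits will target a config file that belongs to no installed daemon. Keep the server install with `RUN apk add --no-cache openssh` (augeas is already installed above) and let the upgrade step handle the client. The new blanket `RUN apk upgrade` in its own layer (hadolint DL3005) makes two builds from the same Dockerfile diverge, and the commit already takes the better route by bumping the `FROM` tag; if it stays, write it as `RUN apk upgrade --no-cache` so the index is not kept in the layer. `RUN gradle --version` as a standalone layer reads as a debugging leftover; fold it into the gradle install line or drop it. The sshd configuration continues past the end of this hunk.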